I've found several security vulnerabilities in the whole product line of a modem/router vendor. I've reported the vulnerabilities confidentially to the vendor. We got in contact, and they are currently working on updates for their products to be published - some updates are already out. In general I wait for the updates to be publicly available before publishing any information on the issues (responsible disclosure).

A few weeks ago the vendor called me and appreciated the way of dealing with the issues. Then they asked if I would agree with not publishing any information on these issues. Their problem: most of their customers are not very technically experienced and since there isn't an automatic update process, most of them just won't update to fix the security issues. In return they would pay me an amount of money for my effort or sponsor a training like the OSCP.

What to do? Take the money and shut up? Give this story to the press?

Interesting position to find yourself in, and in some ways I feel for the vendor's position as well.

It's not unusual for security professionals to enter into an NDA when dealing with a client, and in some cases the vendor can't be 'totally' responsible if users don't update their own systems (but imo it should provide a default auto-update facility for a device which is essentially set and forget for most).

Ultimately, I'd say the decision is yours alone, with no real right or wrong answer. Training is expensive, and security practitioners deserve to be paid for their skills and effort. On the other hand it is likely (no offense intended) that other parties are either already aware of the weakness or will be in the future; however, I'd also suggest that users that don't apply vendor-supplied updates probably aren't reading through the infosec community looking for vulnerabilities in their network either.

If I was in your shoes? You've found a flaw, the vendor has resolved the issue. Hard work is done, time to get paid.

(and if this wasn't the ethical hacker network, I'd point out that coincidences happen, and it's not impossible for an unrelated third party to reverse a patch, identify the flaw fixed and release......)

They are working under the (probably misguided) assumption that you are the only person that knows about the vulnerability. The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!

ziggy_567 wrote: The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!

Without more info, I'll come to the vendor's defence on this one. Just because a PoC and detailed analysis isn't released doesn't mean end users (who probably wouldn't understand a PoC anyway) can't be provided with information sufficient to tell them why a patch is required.

Microsoft (et al.) security bulletins will detail the scope of the effective issue, but rarely provide enough technical information to allow a third party to replicate the issue with further debugging, analysis and reversing.

Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

No. I don't wait for the research to patch issues. But, when research is already done, I don't see a valid reason for suppressing it. Generally speaking, a lot of times it turns out worse for the vendor than just being upfront with the PoC/research.

If there's enough market saturation of their product, the bad guys will be motivated to produce their own exploit. And by releasing a patch, they pretty much have what they need to do so. Taking the company's logic one step forward, if the company feels that their user base isn't technically proficient enough to patch (as the original poster stated) AND the patch might provide enough detail for an attacker to develop their own exploit, should they have even released the patch?

I don't know that this company is doing anything untoward, but by the way it's been presented so far, it sounds a lot like "hush" money.

by the way it's been presented so far, it sounds a lot like "hush" money.

For years, security researchers have essentially worked for free by researching security issues and reporting them to vendors. Many vendors now pay for vulnerabilities. If they pay, they can dictate the terms of disclosure.

Third parties are also purchasing vulnerabilities and demanding an NDA. Some just wish to report the vulnerability through their service, possibly after their product (IDS/IPS) can detect it. Others (e.g. government agencies) purchase exploits against major products so they can use them offensively.

If the vendor will pay you for your time, take the money. How they decide to report is up to them.

I'll side with accepting the payment. Hell, maybe offer them to put you on retainer. But yes, time is money and I see nothing wrong with accepting it, but I would also ensure you are still allowed to continue testing.

If there's enough market saturation of their product, the bad guys will be motivated to produce their own exploit. And by releasing a patch, they pretty much have what they need to do so. Taking the company's logic one step forward, if the company feels that their user base isn't technically proficient enough to patch (as the original poster stated) AND the patch might provide enough detail for an attacker to develop their own exploit, should they have even released the patch?

And this is exactly the problem! Most of the vulnerabilities I found might be easy to reproduce for an attacker, even if they only state the type of the vulnerability in their patch notes. So patching it silently might be the right way here. But the problem will still persist on the devices of the people who simply cannot update due to a missing technical understanding. If the devices auto-updated, this probably wouldn't be a problem, but this is not implemented for some reason.

So the vendor doesn't want the vulnerability to be disclosed because of losing reputation and of course to protect their customers in the obvious "security through obscurity" way.

@3xban: I had a talk with the product manager again about the situation and he clearly stated that they appreciate all of my further findings too.

I finally agree with unicityd - if and how they report this issue to their customers is their decision/problem, so I decided to take their offer.